December 01, 2008

Security on the Move

Blogger: Eric Maiwald

We are in a time of rapid change – of course this is not news to anyone working in IT. Virtualized environments, cloud computing, software as a service, and mobile workers have changed much of what was normal in the world of IT. If these things haven’t reached you yet, they will soon as the economic downturn forces executives to look for ways to cut costs.

There is one thing that all of these technologies and trends have in common – information or data is moving. Our information is no longer safely locked away in a database on a huge mainframe in a physically secure data center somewhere. Instead, the information is moving from server to server, data center to data center, and vendor to vendor. Even our own employees are moving information all over the place as they extract it into spreadsheets and store it on local hard drives, USB sticks, and handheld devices. All this mobility is enough to give a security guy the shakes.

Let’s take a quick look at the major new technologies and trends and see what can help:

Virtualization
Virtualization means that an application can be placed on whatever physical hardware utilizes that hardware most efficiently. Specific applications will no longer live on specific servers. Moving applications around will impact network zoning and other static controls that assume a fixed location. We can look for security tools that live within the virtual environment, but they are only beginning to appear. An alternative is to package some controls with the application (make them a part of the virtual machine that moves with the application). Controls such as host intrusion prevention might help here. Process and procedures may also help. Define risk levels or control requirements for each application and use that criterion as the basis for determining which physical machines are appropriate for different applications.

Cloud Computing
Cloud computing encompasses a lot of things including hosting services and SaaS (I’ll deal with SaaS in a moment). If servers and applications are hosted at someone else’s data center you may not be able to install all of the network controls that you have at your own data center. So here again, moving the controls into the server (or virtual machine, or the part of the application that you control) may alleviate some of the problems. Take, for example, web application firewalls (WAFs) – you may not be able to deploy a WAF in front of your servers at a hosting facility. If you need the WAF functions, you might look for vendors offering software solutions that load onto the server rather than residing in a separate appliance. Contracts and SLAs are also important if your enterprise is considering hosting facilities. Make sure you check on what they are really providing and work with your legal department to include the necessary language in your contracts.

Software as a Service
SaaS is sometimes considered part of cloud computing but I wanted to call it out separately as there are some unique aspects to SaaS. The biggest issue is that you will lose all control over the technical controls. You will not be in charge of firewalls, IDS/IPS, web filtering, or any other security device on the vendor’s network. At the same time, all of your data will be under the control of the vendor and its employees. So what can you do? There are three big things that can be done. First, before the vendor is chosen and the contract is signed, check out the vendor. Look to see what controls are in place and what control standards the vendor is using. Verify that the controls the vendor is using are appropriate to protect your data. Second, have a long talk with your legal department and make them aware of the necessary protections and the risks of a breach. See if they can negotiate with the vendor for a right to audit. Third, once the contract is signed, do the follow-up. Audit the vendor periodically. Check on what they’re doing to make sure your information is protected.

Mobile Workers
Employees are working on the road, from home, and from coffee shops. Information is stored on laptops, USB sticks, and handheld computers. You may not even know where the information is actually going as employees may put it on their home machines or personal smartphones. Any of these devices can be lost, stolen, or just given away. For computers and devices that are owned by the enterprise, use proper protection. That means use a VPN, system firewall, and malicious software controls. Try to manage the systems properly so that they are patched and that unnecessary applications are limited. For some devices, you can install a remote erase function that will remove all data if the device or computer does not check in for a certain amount of time (note that this works better on handhelds than on laptops). You can also use encrypting USB sticks that require a password to access the data on the stick (hey even a short password is better than nothing!). If your employees are going to use non-enterprise devices you can set up terminal servers so they can access their desktops (and sensitive information) without having to store too much on the local machine. This also gives you some control over what can be copied to the local machine. When you have employees that need information on non-enterprise machines that will not have reliable network connectivity, you may need to apply controls to the information itself in the form of enterprise rights management.

That was a very quick look at some of the major trends in today’s IT. All of the controls I mentioned need to be considered in the context of the larger IT environment. In other words, do your tradeoffs and identify the risks that you can accept and those that you cannot. Try to mitigate the risks that you can’t accept. Talk to the business. Talk to the other parts of IT as some of the suggestions that I made will have big impacts on networks and servers. You can’t turn back the tide but you can work with it.

November 24, 2008

Government Plans Top Secret HSPD-23 Program for Enhancing Information Assurance


Blogger: Doug Simmons

This week I attended the “Information Assurance and Enabling Identity Management – Security 2008” conference. In light of Burton Group’s research plans to emphasize “Critical infrastructure protection and process networks” as a theme in 2009, I was very interested in the keynote address. The keynote speaker was Steve Chabinsky, Deputy Director, Office of the Director of National Intelligence. There were about 200-250 people in attendance.


Some of Mr. Chabinsky’s more compelling comments were that he believes we “as a nation” have been seduced by technology. This has led us to become lazy, weak and vulnerable. It appears that our “economic supremacy” relies on untrustworthy technology, and that technologies have not kept pace with the threat. As a result, the U.S. is facing a grave economic and security challenge from a growing array of actors, including well-resourced and persistent adversaries. We have “weak situational awareness.” We either change the path that we’re on “or we lose.”

Mr. Chabinsky then briefed the audience on the Comprehensive National Cybersecurity Initiative (CNCI) – HSPD-23. This directive is classified at the top secret level, but calls for a national priority and plan for action. The directive considers the full spectrum of threat vectors - network, supply chain, vendor, mission bridge networks - to address threats both insider and external.
In brief, HSPD-23 has 12 initiatives:


1. Reduce government portals connected to the Internet to fewer than 100. Currently there are 4,500 portal connections to the Internet. A consolidation effort is planned, and the end result will be a single, integrated line of defense for government networks.
2. Deploy an intrusion detection system called Einstein II across the civilian-supported networks. This does not include intrusion prevention and is dependent on initiative 1 above.
3. Deploy an intrusion prevention system called Einstein III, which will block or mitigate intrusions.
4. Coordinate and redirect government-funded R&D for cyber activities, possibly through a CTO-level Federal position.
5. Connect current cyber operational centers to share malicious activity information, in order to have an understanding of the entire threat. Mission bridging – leveraging and sharing of cyber defense information across agencies. Shared standards and procedures.
6. Define a government cyber counter intelligence plan.
7. Increase security of classified networks.
8. Expand cyber education. Academic programs teaching techniques and tools to all agencies, encouraging best practices. Even goes to civilian education, K-12, etc.
9. Define leap-ahead security strategies and programs. Get ahead of the bad guys, don’t just play catch up. Look at newer technologies.
10. Define and develop enduring deterrent strategies and programs. Group to be populated by a broad group of experts.
11. Develop a multi-pronged approach for global supply chain risk management. This is perhaps the most challenging of the initiatives. Threats include counterfeit hardware and software provided by small and large suppliers from around the world. Supply chain and risk management standards are necessary.
12. Extend cyber security into critical private domains. Emphasis on getting the government “act in order”, then working with private sector to coordinate dialogue and approaches on cyber security.


Funding is being considered. And the “powers” behind the initiative are meeting almost daily with the executive and legislative branch to gain the appropriate funding for these initiatives. Mr. Chabinsky is pretty optimistic that the appropriate funding will be found despite the current wars and state of the economy.


This initiative, of course, opens up a whole host of issues and concerns about the Federal government’s ability to “get its act together” any time soon – before a significant, “world-changing” breach occurs. Coupled with this concern is that of the protection of U.S. citizens’ civil liberties. What will the over-arching security measures dictate with respect to “national security” at the expense of personal privacy? These are not new questions, but the fact that the directive is gaining so much attention, while remaining top secret, leaves a lot of room for further investigation and analysis by companies such as Burton Group.



November 18, 2008

Did the PCI Security Standards Council finally admit a problem?

Blogger: Randall Gamby 

On Monday, November 17th the Payment Card Industry Security Standards Council (PCI SSC) put out a press release announcing the creation of a quality assurance program for the assessment community, https://www.pcisecuritystandards.org/pdfs/pr_081117_qa_program.pdf. It is being implemented in order to, “…promote consistent interpretation of the PCI standards and ensure quality is maintained among all vendors.” Through the program, the Council and the assessor community are committing to:

• Uphold the best interest of the assessor client;
• Adhere to validation requirements among the assessor company;
• Adhere to validation requirements among the assessor employee;
• Maintain consistent assessor procedures and reporting;
• Interpret the PCI standards appropriately as applicable to the client’s systems & environment;
• Remain current with industry trends and PCI SSC updates in the assessor community;
• Report all opinions as factual, documented and defensible; and
• Maintain a positive relationship between the assessor and PCI SSC.

I should say up front that I stand up and applaud this decision.

But a lot of people have been asking, “Didn’t we have this already?”

The sad reality is actually we didn’t. There have been unofficial rumors going around the PCI world that Qualified Security Assessors (QSAs), the organizations responsible for doing attestations for the PCI SSC, are providing inconsistent interpretations of attestation requirements; that QSAs which are also hardware or software vendors are requiring the use of their own products to meet PCI compliance; that QSAs are recommending costly solutions to address deficiencies only for the merchant to later find out there were lower-cost alternatives; and that QSAs apply different requirements for compliance based on the merchant’s vertical market.

It’s been hard enough for many merchants to modify the way they handle credit card transactions to meet the PCI DSS.  But many have found it even harder to consistently find a QSA who can attest to their compliance.  At Burton Group we get a lot of questions around the differences in how QSAs look at compliance and how to select a QSA. So in September I felt compelled to publish a podcast on these topics, http://podcast.burtongroup.com/ip//2008/09/selecting-a-pay.html

Think about it: a PCI architect goes to their management team in this downturn economy and asks for funding, and management asks, “If we give you the funding for your request, will this make us PCI compliant?” And you know they will. The architect has to honestly respond, “Well, yes, assuming we can find a compatible QSA that will sign off on our architecture.” Not a strong message to send to management while the “high risk” alarms begin to go off in their heads. Compliance should be based on whether your actions and architecture actually “meet” the requirements of the standard, not whether the QSA “feels” you meet them.

So as I said at the beginning, I applaud the PCI SSC’s decision to put a quality assurance program in place but until the program is in full effect (it will be rolled out in a four-stage process throughout 2009), merchants will still have to carefully select their QSA if they want to maximize their chance of achieving compliance.

November 13, 2008

Musings on why security is everyone’s job

Blogger: Phil Schacter

The more we debate who owns security and is responsible for enforcing compliance and technical controls, the more we should realize that security needs to be everywhere and everyone needs to be involved. The days of IT security being effectively operated by the mainframe RACF or ACF2 administrator, or by the network security operations team administering firewall and router ACLs, are long gone.

A few examples of the many places where security resides within the organization and business environment:

  • Security controls operate on the devices that access business IT functions, subject to the security-aware user avoiding actions that would compromise the device.
  • Other controls are enforced by file management systems, content management systems, and enterprise data base management systems to ensure that users are only able to access information that is required based on their current job function, organization role, or relationship to the business.
  • Custom and commercial developers are responsible for delivery of software that is well tested and free of known code vulnerabilities.
  • Network and content monitoring tools should recognize unacceptable behaviors and be able to determine accountability at the user, device, or application/service level.

A failure anywhere within the information, application, or identity life cycle could break security and expose the business to a growing array of insider or external threats, in spite of our best efforts to implement a defense-in-depth strategy.

A systematic approach to security is clearly needed to establish security as a basic quality to our IT-enabled business services. Security cannot be imposed and realized by an external regulator, or by a CISO drafting a new policy document, or by implementing all of the recommendations coming out of an IT audit report.

One of the steps that an organization can take to improve security across all aspects of the business and the IT organization is to have business executives clearly communicate to all employees the importance of security to the brand and economic well-being of the organization. A continuous security awareness and education program is needed to help all users and IT staff appreciate why security is important to the success of the business, and how individual actions contribute to the effectiveness of security controls. Such an awareness program is a bargain with minimal impact on the overall IT and security budget, often leveraging existing internal newsletters and electronic communication programs.

Security is also not something an organization can purchase from any vendor or combination of vendors. Achieving business and security goals requires everyone in the organization to play their part. This effort may be as simple as being aware when someone is paying too much attention as you enter your password, or attempt to tailgate as you enter a secure facility, or not accessing a private web mail service that circumvents organizational malware filters.  You get the idea…

November 07, 2008

Information confidentiality: protecting the spring or the spigot?

Blogger: Ramon Krikken

With Data Leakage Prevention (DLP) being one of the ‘hot products’ for 2008, it should be no surprise that nearly every single loss of sensitive information results in one or more “our product would have prevented this” messages from the different vendors. The latest incident, where a USB flash drive containing sensitive usernames and passwords was left in the parking lot of a pub in the U.K., is no exception. And while it is certainly the case that a DLP solution might have prevented the storing of such data on the USB drive, it always makes me wonder whether it provides the best control for its cost.

In the ideal world, security would be integral to the data. Enterprise Digital Rights Management (e-DRM) offers some promise, but lack of interoperability standards and never-ending discussions on how to implement encryption and key management, and how to make data accessible off-line, quickly derail the effort. More mature are disk and file encryption technologies, but when implemented with poor controls, such as simple passwords, or without automatically requiring or enabling encryption on removable devices, they also quickly lose their effectiveness. So we tried the next best solution: preventing data from going to, or being in, places where it isn’t supposed to be. It’s not that the discussions on the what, where, and how are necessarily less heated, but at least there is some emerging body of evidence on how to make it work for certain use cases. Network content detection can work well for accidental disclosures via email; agent-based contextual detection can be a better alternative when the enterprise is concerned about employees stealing trade secrets using their iPod. But whether to use the active prevention features of DLP remains contested.

We expected this, of course: because active blocking technologies are very visible to users in the case of failure (in this case a false positive, where something is blocked even though it’s an approved operation), the security teams and IT departments are, rightfully so, concerned about inhibiting business. Unless the environment and culture are conducive to this kind of rigid control with the occasional problem – or unless the security and IT teams have the time and resources for a careful roll-out and endless fine-tuning – using blocking technologies can be a risky proposition. The alternative is to use DLP solutions to scan data repositories in order to find sensitive information, which is certainly helpful in a time when many enterprises aren’t even sure what data lives where. To me this loses some of the value proposition of DLP, but in some cases – especially if combined with classification and ‘tagging’ of the information – it may certainly be good enough. If nothing else it is a helpful tool in the identification and classification of data in the organization, a journey on which most companies have hopefully embarked by now.
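The network content detection and false-positive trade-off discussed above can be made concrete. The block below is an added example, not code from the original post or from any DLP vendor: it scans constructed email bodies for payment card numbers, first with a plain digit-pattern match (what a naive content rule does) and then with a Luhn check and a repeated-digit filter on top, so that order numbers and other long digit strings do not trigger a block. The message texts, the 13-19 digit length window and the "block"/"allow" decision are all assumptions made for the example.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits. This is the kind of rule a naive
# content filter applies, and on its own it is a false-positive generator.
CANDIDATE_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Constructed sample messages (not real data): one genuine card number, one
# order reference that is a 16-digit string but not a valid card number.
SAMPLE_MESSAGES = {
    "msg-1": "Please charge 4111-1111-1111-1111 for the invoice attached.",
    "msg-2": "Your order 1234567890123456 shipped today, tracking to follow.",
    "msg-3": "Card on file ends 0004; full PAN 5500 0000 0000 0004 per customer.",
    "msg-4": "Nothing sensitive here, just the Q3 agenda.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Return raw candidate count and the subset that survive validation."""
    validated = []
    candidates = 0
    for m in CANDIDATE_RE.finditer(text):
        candidates += 1
        digits = re.sub(r'[ -]', '', m.group())
        # Drop degenerate strings such as 0000000000000000, which pass Luhn.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            validated.append(digits)
    return {"candidates": candidates, "validated": validated}


def decide(text: str) -> str:
    """Policy decision for one outbound message: 'block' only on validated hits."""
    return "block" if scan(text)["validated"] else "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        result = scan(body)
        print(f"{name}: candidates={result['candidates']} "
              f"validated={result['validated']} -> {decide(body)}")
```

Run against the constructed messages, the naive rule flags both msg-1 and msg-2, while the validated result blocks only msg-1 and msg-3. That gap is the false-positive rate the post warns about; the validation step is what makes an in-line blocking policy tolerable to users, and even then a practitioner would pair it with an allow-list for known business feeds before turning enforcement on.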

Things of course always get more complicated – not easier. Software as a Service (SaaS), cost-cutting by having employees use their own equipment, and the need to share with business partners are ever-increasing inhibitors of centralized controls, and DLP is no exception. Coupled with the cost of acquiring, implementing, and maintaining the solution, it does raise the question whether already scarce budgets would be better spent on other controls … or whether the cost of maintaining security in such environments outweighs the cost savings to begin with.

In the end it’s all a matter of risk versus reward. Although I predict a much brighter future for preventive controls such as encryption and rights management, it’s certain that today’s environment – and from the looks of it, tomorrow’s as well – is much more conducive to detective and reactive technologies. Working from the use and abuse cases as a starting point, enterprises should be able to evaluate not only the functionality of DLP solutions, but also be able to make at least an educated guess on their cost effectiveness.

October 29, 2008

Towards Event and Log Management Coherence

Blogger: Dan Blum

As I wrote in an earlier post about our Catalyst SIG, Burton Group is working with vendors and end user organizations in the industry to promote common event and log standards. Last week, progress continued as a Common Event Expression (CEE) conference call convened by Mitre brought what may be an important clarification of the scope of the effort. Also, participants from the Open Group’s XDAS group (including our own Bob Blakley) were added to the CEE editorial board, and an important IETF effort to enhance Syslog came to light.

After the conference call, Mitre summarized the scope discussion as follows:

“CEE will be the most valuable to the community if we take a top-down approach. This means that we start with a couple high-level use case drivers, such as regulatory compliance requirements as well as other log guidance, and determine what log types and data are necessary to meet those needs.

CEE should aim to be a lightweight standard. However, it needs to be flexible/extensible enough to support larger, more complex uses.

At minimum, CEE should require a timestamp and some sort of event classification.

The standard log data should be self describing, possibly in the form of name-value pairs. The next version of Syslog (currently in draft version in IETF) can probably support this within structured data blocks.”

It’s important to caution that the migration towards log and event standards will be a gradual, evolutionary process that won’t replace log and event chaos with a wholly uniform approach. One vendor noted on the call that there are many different eventing/logging use cases and sources, therefore “It would be disastrous to decree a single representational format like XML” and “I don’t see [my company] dropping all investment on rich logging infrastructure and adopting Syslog.”

Even if we don’t get to uniformity, Burton Group strongly agrees that something along the lines of the proposed standard would bring great value to the industry, and we are encouraged by the progress so far. As the ideas become more fully baked, we plan to encourage customers and clients not to wait, but to begin mandating these same log/event coherence concepts (such as event classification, timestamps, and data self-description mechanisms) for the systems and software they buy and develop.
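To show what the minimum requirements in Mitre’s summary (a timestamp, an event classification, and self-describing name-value pairs carried in Syslog structured-data blocks) look like in practice, here is an added example that is not part of the original post or of the CEE or IETF work. It parses messages in the format of the IETF syslog-protocol draft referenced above (later published as RFC 5424), pulls the structured-data elements into dictionaries, and reports which messages meet that minimum. The log lines are constructed, the SD-IDs are made up, and the choice of a parameter named `event` as the classification field is an assumption for the example, not a CEE definition.

```python
import re
from datetime import datetime

# Constructed sample messages in syslog-protocol (RFC 5424) form. The
# bracketed section is STRUCTURED-DATA: one or more [SD-ID PARAM="value" ...]
# elements, or the single character '-' when there is none.
SAMPLE_LOGS = [
    '<34>1 2008-10-29T13:14:15.003Z host1 sshd 1234 ID47 '
    '[auth@32473 event="login.failure" user="alice" src="10.0.0.7"] '
    'Failed password for alice',
    '<165>1 2008-10-29T13:15:02Z host2 app - - '
    '[cee@32473 event="file.read" path="/etc/shadow"][origin ip="10.0.0.9"] '
    'read attempted',
    '<13>1 2008-10-29T13:16:00Z host3 legacy - - - free text only',
    '<13>1 - host4 legacy - - [cee@32473 event="x"] missing timestamp',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')
CLASS_PARAM = "event"   # assumed name of the classification field


def _unescape(value: str) -> str:
    # The draft requires '"', '\' and ']' inside a PARAM-VALUE to be escaped.
    return value.replace('\\"', '"').replace('\\]', ']').replace('\\\\', '\\')


def _parse_sd(rest: str):
    """Split STRUCTURED-DATA off the front of `rest`; return (sd, msg)."""
    if rest.startswith('-'):
        return {}, rest[1:].lstrip(' ')
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == '[':
        end, escaped = pos + 1, False
        while end < len(rest):              # find the unescaped closing ']'
            c = rest[end]
            if escaped:
                escaped = False
            elif c == '\\':
                escaped = True
            elif c == ']':
                break
            end += 1
        if end >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        sd_id, _, params = rest[pos + 1:end].partition(' ')
        sd[sd_id] = {k: _unescape(v) for k, v in PARAM_RE.findall(params)}
        pos = end + 1
    return sd, rest[pos:].lstrip(' ')


def parse_syslog(line: str) -> dict:
    """Parse one syslog-protocol message into a record of named fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-protocol message")
    pri = int(m['pri'])
    ts = None
    if m['ts'] != '-':
        ts = datetime.fromisoformat(m['ts'].replace('Z', '+00:00'))
    sd, msg = _parse_sd(m['rest'])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": ts,
            "host": m['host'], "app": m['app'], "sd": sd, "msg": msg}


def event_class(rec: dict):
    """Return the classification from whichever SD element carries one."""
    for params in rec["sd"].values():
        if CLASS_PARAM in params:
            return params[CLASS_PARAM]
    return None


def meets_minimum(rec: dict) -> bool:
    """CEE minimum from the call summary: a timestamp and a classification."""
    return rec["timestamp"] is not None and event_class(rec) is not None


def audit(lines):
    """Return [(host, ok)] so a buyer can see which sources fall short."""
    return [(r["host"], meets_minimum(r)) for r in map(parse_syslog, lines)]


if __name__ == "__main__":
    for host, ok in audit(SAMPLE_LOGS):
        print(f"{host}: {'ok' if ok else 'MISSING timestamp or classification'}")
```

The two messages from host3 and host4 fail for different reasons (no classification, no timestamp), which is exactly the kind of gap to write into a procurement requirement: a source that emits RFC 5424 framing but leaves structured data empty is no more coherent than one that emits free text.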

CEE members are also working on defining use cases for event management, and a work-in-progress data dictionary. Now is a good time for security information event management vendors, log management vendors, and enterprise security practitioners to get involved; to participate in or monitor the CEE effort directly, see http://cee.mitre.org/.

October 23, 2008

More Than Roles: Using Data-Centric Security To Fight Fraud

[blogger: Trent Henry]

In identity management, there’s considerable discussion about understanding organizational roles and how toxic combinations of user access can result in fraudulent activity.

At Burton Group’s Catalyst Conference today, UBS’s Mark Swift described this as a “classic” approach to examining security and said it wasn’t adequate for his organization. Mark said, “What we thought of as roles would actually not help us” in the fight against fraud (no small issue in today’s financial-services environment).

Why not?

Several reasons.

Although UBS initially created functional job descriptions and mappings of user activities, they found that these weren’t sufficiently granular and missed important details because of their top-down approach. Instead, they needed a bottom-up approach that focused on data and business process.

Here’s an example challenge: Switzerland has a centuries-old rule mandating that if a party has entered into a contractual relationship, their identity can’t be revealed. Typically in an enterprise, “account representatives” (as a role) would be granted fairly liberal access to a customer record. But for Swiss clients, even an account representative can’t be allowed to see such information, so a role-based model won’t be granular enough to properly enforce policy. This is what Mark described as “jurisdictional data protection,” and it requires a new process:

  1. Map out data (Ask: what information and attributes do applications care about?)
  2. Determine what actions must be performed on this data to carry out business processes
  3. Analyze what conflicts in data processing can cause harm (or lead to fraud) [For example read/write access to data that allows both booking a financial trade and settling/reconciling the trade]
  4. Create a heat map that provides an at-a-glance assessment of where data, applications, and user access allows for potentially fraudulent activity

This is not a simple task. Mark commented, “Application rights for anything other than trivial systems are complex and are often dynamic depending on application-side rules.” This means that security and risk management teams must have deep understanding (or engage with business leaders who have such understanding) of application processes.
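The four steps above can be mechanized once entitlements are expressed on data and actions rather than on roles. The following is an added example, not UBS’s process or code and not from the original post: it takes a constructed data map and set of entitlements (step 1 and 2), a list of conflicting data-action pairs such as booking and settling the same trade (step 3), finds every user holding both sides of a conflict regardless of which applications grant them, and reduces the result to a per-application heat map (step 4). Users, application names and the conflict rules are all assumptions made for the illustration.

```python
from collections import defaultdict

# Steps 1-2: constructed entitlements, each as (application, data, action).
# Note these are not roles; the same data/action may be granted by any app.
ENTITLEMENTS = {
    "alice": {("TradeCapture", "trade", "book"),
              ("Settlement", "trade", "settle")},        # books and settles
    "bob":   {("TradeCapture", "trade", "book"),
              ("ClientMaster", "client_identity", "read")},
    "carol": {("Settlement", "trade", "settle"),
              ("Settlement", "trade", "reconcile")},
    "dave":  {("ClientMaster", "client_identity", "read"),
              ("Payments", "payment", "initiate"),
              ("Payments", "payment", "approve")},        # both in one app
    "erin":  {("TradeCapture", "trade", "book"),
              ("Settlement", "trade", "reconcile")},
}

# Step 3: conflicts stated on (data, action) pairs, independent of job title.
CONFLICT_RULES = [
    (("trade", "book"), ("trade", "settle")),
    (("trade", "book"), ("trade", "reconcile")),
    (("payment", "initiate"), ("payment", "approve")),
]


def find_conflicts(entitlements, rules):
    """Return {user: [(left, right, app_a, app_b), ...]} for toxic holdings."""
    hits = defaultdict(list)
    for user, ents in entitlements.items():
        granted = defaultdict(set)          # (data, action) -> apps granting it
        for app, data, action in ents:
            granted[(data, action)].add(app)
        for left, right in rules:
            if left in granted and right in granted:
                for app_a in sorted(granted[left]):
                    for app_b in sorted(granted[right]):
                        hits[user].append((left, right, app_a, app_b))
    return dict(hits)


def heat_map(conflicts):
    """Step 4: number of distinct conflicted users touching each application."""
    users_by_app = defaultdict(set)
    for user, items in conflicts.items():
        for _, _, app_a, app_b in items:
            users_by_app[app_a].add(user)
            users_by_app[app_b].add(user)
    return {app: len(users) for app, users in users_by_app.items()}


def render(heat):
    """Text heat map, hottest application first."""
    return [f"{app:<14}{'#' * n} ({n})"
            for app, n in sorted(heat.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    conflicts = find_conflicts(ENTITLEMENTS, CONFLICT_RULES)
    for user, items in conflicts.items():
        for left, right, app_a, app_b in items:
            print(f"{user}: {left} via {app_a} + {right} via {app_b}")
    print("\n".join(render(heat_map(conflicts))))
```

Bob and carol hold nothing toxic even though carol has two write-side actions in Settlement; alice and erin are flagged across two applications, which is the cross-system combination a role review inside a single application would miss. The heat map is deliberately coarse: its job is to point the people who do understand the business process at the cells worth their time.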

Here’s a challenge that comes to mind for me…

It seems there’s a fundamental economic problem for security teams in financial services. Nick Leeson implied this in his talk as well. In order to prevent fraud, management and security/audit oversight teams must have deep understanding of business processes (and in trading, financial instruments) to determine when bad things can happen. The problem is that when someone has obtained this level of understanding, then they are well positioned to actually serve as a trader rather than risk manager. And there's a strong economic pull to go in that direction, rather than as security personnel.

So data-centric security is powerful and important, and leads to much better understanding of business process. But will that have an adverse impact on retaining knowledgeable risk professionals? Let's hope not, because I think data-centric approaches are the road ahead.


October 22, 2008

Where is Enterprise Digital Rights Management Going?

[Blogger: Trent Henry]

Burton Group has long covered enterprise digital rights management (known varyingly as ERM or E-DRM). Our most recent report on E-DRM describes the technology as “driving security to the data.” Similar to consumer DRM schemes that protect Windows media or Apple iTunes content, E-DRM uses cryptography and fine-grained policies to limit what a user can do with data. Unlike consumer media, however, E-DRM is used exclusively by enterprises to protect corporate data and is typically targeted at word processing files, spreadsheets, email, and related content.

Here in Prague at Burton Group’s Catalyst Conference, many of our security talks have been geared around the trend of information-centric security. As a result, several attendees have approached me to ask, “Where is E-DRM going?”

Good question, but a hard one, because even Burton Group is of two minds on the topic. On one hand, we see E-DRM as software-based technology whose consumer counterparts have suffered one break (attack) after another. In short, they’re low-surety solutions. In addition, the products suffer from an in-your-face user experience that necessarily adds complexity for employees. On the other hand, E-DRM is arguably the finest example of security surrounding data itself: fine-grained policies (e.g. “You cannot print this document and may only email it to other Finance Group members”), cryptographic protection, and prevention of other sorts of leakage (e.g. no copy/paste to unauthorized applications).

The vendor landscape for E-DRM has changed substantially in the last 18 months. Microsoft has made significant strides in adding E-DRM support to SharePoint. Oracle, through its acquisition of Stellent, picked up SealedMedia. And EMC, through its acquisition of Documentum, did the same with Authentica. The remaining standalone vendors are Adobe and Liquid Machines. It’s clear that vendors are solving one typical objection to E-DRM: the management of yet another silo of policies. By linking Enterprise Content Management (ECM) and E-DRM, the content repository’s security settings can automatically be reflected in DRM-protected documents that leave the ECM environment.

Where does that leave us?

  • We have cautious optimism that E-DRM will continue to receive uptake, even though today’s deployments tend to be relatively small and tactical.
  • We expect vendors to enhance protection, making use of trusted platform modules for integrity validation and hardware cryptomodules for improved cryptography handling.
  • We expect additional integration between rights management and content management solutions.
  • Ultimately, we think there will be interesting synergies between virtualization and E-DRM, where mobile workloads (on virtual machines) and the sensitive content they contain can be managed, tethered, and persistently secured via rights-management no matter where a machine image lands.

October 21, 2008

Mobility and Security

Blogger: Eric Maiwald

It is Catalyst time again – it seems like just the other day we were holding Catalyst North America in San Diego. This week Burton Group is hosting Catalyst Europe in Prague. The security service does not have a track on the first day of the conference so I attended the Planning for Pervasive Mobility track (I also had a talk to give in this track so it made a lot of sense for me to be there!).

It seems that mobility is important for enterprises and employees and wireless technology is improving to help us be more mobile. Paul Debeasi (Burton Group Senior Analyst in the Network and Telecom Service) talked about 802.11n and how it is good enough to be used as an Ethernet replacement. You can see what he wrote about 802.11n in the NTS blog. Dan McCarriar from Carnegie Mellon University talked about their deployment of 802.11n so it is not just a standard that will generate products sometime in the future.

As enterprises begin to include more wireless networks instead of wired Ethernet, there will be additional security concerns that will need to be addressed. This could be everything from an increased use of VPN technology to the deployment of wireless intrusion prevention systems (WIPS) to detect rogue access points and track down sources of wireless interference. Increased use of WLANs may also spur the use of network admission control (NAC), as we have seen more use of 802.1X on wireless than on wired networks.

Another change that we will need to pay attention to is the increased use of employee-owned devices on these networks. Employees (and students in the case of CMU) are increasingly interested in using their own devices (including smartphones) for work. It may not matter what controls we decide to put on endpoints if the enterprise does not own the endpoint. The ramifications of mobility do not end with security – applications will need to change to be more useful on the employee devices. Applications may also need to change to keep sensitive information off of the end point.

Lots of changes are coming, and security folks will need to be able to advise enterprises about working in the new environments.

October 15, 2008

IT Security Meets the Crash of 2008

Blogger: Dan Blum

Much as a galactic black hole sucks matter into its maw, the Crash of 2008 has seized the public’s attention. The media is engrossed with the assessment of losses, causes, blame, and – most importantly – predictions of severity for the recession to come.

Not surprisingly, an interesting survey from a friend in the media turned up in my mailbox this morning. Here is what the survey asks, and this is what I said.

Do you believe the IT security market will continue to grow during the global recession?

I’m no economist, and have little faith anymore in the predictions of those who call themselves economists. With imperfect insight into how severe the global recession to come will be, it’s difficult to say how warm or cold the IT security market will get. Also, Burton Group doesn’t specialize in quantitative research, so we can’t fall back on a lot of impressive looking numbers.

That said, it’s the job of the security analyst to look into the crystal ball – however cloudy it may be – and read the signs. My take is this: If the coming economic winter is moderate the security market will remain relatively flat given the strength of regulatory and business drivers for risk reduction. But if the economic winter is severe (as in a new Depression) all bets are off.

On the other hand, hard times tend to bring on more crime and mischief. It’s likely that new or increased IT security incidents will continue to raise risk drivers for spending.

Which sectors do you believe will continue to invest in IT security during the recession?

If it’s “only” a recession then stronger sectors with strong risk drivers will maintain spending, weaker sectors with weaker risk drivers will cut back, and others will see mixed results. For example:

Banking and finance may cut back spending due to severe financial losses and M&A activity, however, their tendency to cut back will be mitigated by continuing regulatory pressure on privacy and risk management fronts.

Retail would be affected in any recession and could face pressures to cut back; however, retail’s rate of IT security spending is already low, and PCI/DSS compliance mandates won’t go away.

Government, defence, and health industries will likely maintain spending. Education and insurance may maintain spending, or see mixed results.

What IT security products do you believe will continue to do well during the recession?

Many may not do well. Relative to the others some will do “better,” “worse,” or “average.” Taking the product categories as I found them in the survey:

  • Encryption: relatively better (strong regulatory mandates)
  • Biometrics: relatively better (government investments)
  • Data leakage: average (big problem, but limited solutions)
  • Mobile security: average
  • ID & Access Management: relatively better
  • Gov Risk & Compliance: relatively worse (poorly defined category/solutions)
  • End point security: relatively worse (cut spending on AV?)
  • Managed security services: relatively better (lower support costs?)
  • Physical Security: relatively worse
  • Email Security: average

Can you provide any growth/decline statistics/predictions for the future of the IT security market?

While we don’t trade in statistics, Burton Group has strong research forecasting IT security technology evolution and IT security market dynamics. The following reports provide a great deal of insight into the broad outlines of the future of information security:

  • VantagePoint 2008: Security Vital Signs
  • Shifting Defenses: Security Futures for Networks, Applications, and Data
  • The Long Tail of Risk and the Dynamics of the Security Market

Do you think that the IT security sector is still a strong one to invest in?

Given risk and technology trends there is and will continue to be relatively strong demand for IT security technology. That said, most of the money in the IT security market will not be made by pure play security companies but by much larger IT “conglomerate” vendors.

Our “long tail” report describes a dynamic where security spending is driven by continually shifting threats, attacks, and risks and the market is “always consolidating, never consolidated.” There is a continual crop of startups whose technologies mostly fail, are acquired, or are replicated by platform vendors such as Cisco, CA, Microsoft, EMC, IBM, Oracle, etc.

Only venture capitalists can invest in startups and there are relatively few “pure play” IT security companies listed on stock exchanges. Most of those are small cap rather than mid cap or large cap.

What opportunities do you think the current climate will open up to the IT security industry?

The two R’s – Risk and Recession – are clearly in conflict. Organizations will be trying to reduce the amount of risk they must mitigate, and to accomplish the reduction at a lower cost.

IT buyers may be ready for disruptive innovations that lower cost even if they provide less performance or functionality in some cases. For example:

  • Thin clients (not a security product, but conferring security benefits) come to mind.
  • Locked down desktop and application whitelisting may help organizations take the axe to expensive anti-virus budgets.
  • Outsourced or managed security services will continue to make inroads where they can deliver adequate capability and control at reduced cost.

How long do you think it will take before the IT security sector is affected by the economic troubles?

a. Immediately
b. 6 months
c. A year
d. 2 years

There is clearly already some immediate effect from the financial turmoil. As IT and IT security professionals, however, we shouldn’t obsess over the stock market. We need to stay focused on the businesses we are in and find ways for business to be more efficient, more effective, and (still) adequately protected.
